Configuring the Jail

Next, read the section of the jail(8) man page titled "Configuring the Jail." It explains how to set up a few things inside the jail. I made these changes directly from the host environment (that is, I did not start the jail; I edited the files under the jail's root from outside). Beyond what the man page covers, I also changed the following, although I can't point to a man page that says they're a good idea:

adjkerntz. I'm not sure this one is required, but I commented out the /etc/crontab entry for adjkerntz inside the jail. adjkerntz(8) adjusts the kernel's idea of the CMOS clock through sysctl, and a jailed process is not permitted to do that: there is only one kernel clock, and the host already maintains it. If you leave the entry in, cron inside the jail will mail root a notification like this every time the job runs:

adjkerntz[11643]: sysctl(put_wallclock): Operation not permitted

/etc/ssh. In my case I was duplicating an existing physical machine into the jail, so copying the host keys from this directory into the jail keeps clients that already know the old machine from seeing "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!" Bear in mind that root inside the jail can read these private keys, so only do this if the jail is genuinely replacing that machine. If you are building a new environment, skip this step: the jail will generate its own host keys when sshd starts for the first time.

The script is very limited. It doesn't check whether the jail is already running before starting it; that would be a nice addition, and if you want to add it, I look forward to your patch.

In addition, you might want to add this to the host environment's /etc/sysctl.conf:

security.jail.set_hostname_allowed=0

By default this variable is 1, which lets root inside a jail change the jail's hostname; setting it to 0 on the host prevents that. Under 4.*, the variable was named jail.set_hostname_allowed.
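A small host-side helper script that performs the steps above (comment out adjkerntz in the jail's crontab, copy the old machine's SSH host keys, add the hostname sysctl) and also the "is this jail already running?" check that the start script lacks. It is an added example, not the article's script: the jail root /usr/jail/bacula, the location of the old machine's /etc/ssh, the function names, and the jls(8) column layout it parses (JID, IP Address, Hostname, Path, as printed by FreeBSD 5.x) are all assumptions.

```shell
#!/bin/sh
# Host-side helpers for preparing a jail before its first start.
# Added example, not the article's script.  Assumptions: $JAILROOT is the
# jail's root directory on the host (e.g. /usr/jail/bacula), $SRC_SSH_DIR is
# the /etc/ssh of the machine being duplicated, and jls(8) prints the columns
# JID, IP Address, Hostname and Path with the path last.

# 1. Comment out the adjkerntz line in the jail's /etc/crontab so cron inside
#    the jail stops mailing "sysctl(put_wallclock): Operation not permitted".
#    Only uncommented lines mentioning adjkerntz are touched, so running the
#    function twice is harmless.
disable_adjkerntz() {
    crontab="$1/etc/crontab"
    [ -f "$crontab" ] || { echo "no crontab at $crontab" >&2; return 1; }
    [ -e "$crontab.orig" ] || cp -p "$crontab" "$crontab.orig"   # keep the original once
    sed '/^[^#].*adjkerntz/s/^/#/' "$crontab" > "$crontab.new" &&
        mv "$crontab.new" "$crontab"
}

# 2. Copy the SSH host key pairs of the machine being duplicated so clients
#    that already know it do not see "REMOTE HOST IDENTIFICATION HAS CHANGED!".
#    Only the host keys are copied, not the rest of /etc/ssh.
copy_ssh_host_keys() {
    srcdir="$1"; jailroot="$2"
    mkdir -p "$jailroot/etc/ssh"
    for f in "$srcdir"/ssh_host_*key "$srcdir"/ssh_host_*key.pub; do
        [ -f "$f" ] || continue                 # unmatched glob pattern, skip
        cp -p "$f" "$jailroot/etc/ssh/"
    done
    # Private host keys must stay readable by root only.
    for f in "$jailroot"/etc/ssh/ssh_host_*key; do
        if [ -f "$f" ]; then chmod 600 "$f"; fi
    done
}

# 3. Keep jailed root from changing the jail's hostname.  The sysctl defaults
#    to 1 (allowed); the line is appended only if sysctl.conf lacks it.
harden_hostname_sysctl() {
    conf="$1"                                   # /etc/sysctl.conf on the host
    grep -q '^security\.jail\.set_hostname_allowed=' "$conf" 2>/dev/null ||
        echo 'security.jail.set_hostname_allowed=0' >> "$conf"
}

# 4. Is a jail with this root path already listed by jls?  jail_listed reads
#    jls output on stdin so it can be exercised without a FreeBSD kernel;
#    jail_is_running wraps it around the real jls(8).  Exit status 0 = listed.
jail_listed() {
    awk -v p="$1" 'NR > 1 && $NF == p { found = 1 } END { exit (found ? 0 : 1) }'
}
jail_is_running() {
    jls 2>/dev/null | jail_listed "$1"
}

# Usage on the FreeBSD host, as root:
#   sh jailprep.sh apply /usr/jail/bacula /path/to/old/machine/etc/ssh
case "${1:-}" in
apply)
    JAILROOT="$2"; SRC_SSH_DIR="$3"
    if jail_is_running "$JAILROOT"; then
        echo "jail at $JAILROOT is already running; not touching it" >&2
        exit 1
    fi
    disable_adjkerntz "$JAILROOT"
    if [ -n "$SRC_SSH_DIR" ]; then copy_ssh_host_keys "$SRC_SSH_DIR" "$JAILROOT"; fi
    harden_hostname_sysctl /etc/sysctl.conf
    sysctl security.jail.set_hostname_allowed=0  # apply now as well as at next boot
    ;;
esac
```

The running-jail check compares the path column of jls output rather than the hostname, because the hostname is exactly what a jailed root could change until the sysctl above is set; the path is assigned by the host and cannot be altered from inside.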

Jails Run Well

Jails make very good virtual machines. From the inside they look much like real systems; you have to look fairly closely to tell you're in a jail. My jail gives the Bacula developers a machine of their own, and it keeps their work completely separate from mine.

You can use jails to contain security exposure and to increase the utilization of an existing machine while still giving everyone their own virtual machine. There's no reason you couldn't run many different jails on the same computer. Keep in mind, though, that every jail shares the host's kernel: a jail isolates processes, the filesystem and networking, not the kernel itself.

Dan Langille
runs a consulting group in Ottawa, Canada, and lives in a house ruled by felines.